Professional Documents
Culture Documents
Shed Den 2011
Shed Den 2011
Access to this document was granted through an Emerald subscription provided by emerald-srm:203778 []
For Authors
If you would like to write for this, or any other Emerald publication, then please use our Emerald for
Authors service information about how to choose which publication to write for and submission guidelines
are available for all. Please visit www.emeraldinsight.com/authors for more information.
About Emerald www.emeraldinsight.com
Emerald is a global publisher linking research and practice to the benefit of society. The company
manages a portfolio of more than 290 journals and over 2,350 books and book series volumes, as well as
providing an extensive range of online products and additional customer resources and services.
Emerald is both COUNTER 4 and TRANSFER compliant. The organization is a partner of the Committee
on Publication Ethics (COPE) and also works with Portico and the LOCKSS initiative for digital archive
preservation.
VINE
41,2 Incorporating a knowledge
perspective into security risk
assessments
152
Piya Shedden, Rens Scheepers, Wally Smith and Atif Ahmad
Department of Information Systems,
University of Melbourne, Melbourne, Australia
Abstract
Downloaded by UNIVERSITY OF OTAGO At 12:55 04 December 2016 (PT)
Purpose – Many methodologies exist to assess the security risks associated with unauthorized
leakage, modification and interruption of information used by organisations. This paper argues that
these methodologies have a traditional orientation towards the identification and assessment of
technical information assets. This obscures key risks associated with the cultivation and deployment
of organisational knowledge. The purpose of this paper is to explore how security risk assessment
methods can more effectively identify and treat the knowledge associated with business processes.
Design/methodology/approach – The argument was developed through an illustrative case study
in which a well-documented traditional methodology is applied to a complex data backup process.
Follow-up interviews were conducted with the organisation’s security managers to explore the results
of the assessment and the nature of knowledge “assets” within a business process.
Findings – It was discovered that the backup process depended, in subtle and often informal ways,
on tacit knowledge to sustain operational complexity, handle exceptions and make frequent
interventions. Although typical information security methodologies identify people as critical assets,
this study suggests a new approach might draw on more detailed accounts of individual knowledge,
collective knowledge and their relationship to organisational processes.
Originality/value – Drawing on the knowledge management literature, the paper suggests
mechanisms to incorporate these knowledge-based considerations into the scope of information
security risk methodologies. A knowledge protection model is presented as a result of this research.
This model outlines ways in which organisations can effectively identify and treat risks around
process knowledge critical to the business.
Keywords Data security, Risk management, Information systems, Risk assessment
Paper type Case study
Introduction
Information security is of paramount importance to organisations. Information security
risk assessments (ISRAs) enable organisations to identify their key information assets
and risks in order to develop effective and economically-viable control strategies
(Baskerville, 1991; Roper, 1999; Peltier, 2001; den Braber et al., 2007). Various popular
ISRA methodologies are used in industry, including Operationally Critical Threat
and Vulnerability Evaluation (OCTAVE), CRAMM (Central Computing and
Telecommunications Agency – CCTA) Risk Analysis and Management Method),
NIST SP800-30 and the AS/NZS 4360 standard (Stoneburner et al., 2002; Yazar, 2002;
VINE: The journal of information and Alberts and Dorofee, 2004; AS/NZS, 2004). These ISRA methodologies ensure that critical
knowledge management systems assets are identified through a rigorous process involving various stakeholders, including
Vol. 41 No. 2, 2011
pp. 152-166 senior management, operational managers and technical staff (Alberts and Dorofee, 2004).
q Emerald Group Publishing Limited This facilitates protective action for valuable or critical assets whilst also ensuring that
0305-5728
DOI 10.1108/03055721111134790 resources are not wasted on protecting lesser risks or unimportant assets (Visintine, 2003).
Significantly, these risk assessments tend to be asset-focussed in that they are based on Security risk
identifying information as objects of value that are threatened, have vulnerabilities and assessments
require protection (Shedden et al., 2006).
Distinct from the discourse on information security, the literature on knowledge
management has emphasised the strategic value of tacit and explicit organisational
knowledge. Organisational knowledge is seen as having an inherent competitive and
commercial value; any loss or degradation of knowledge will adversely affect a company’s 153
ability to operate in a normal manner (Davenport and Prusak, 1998; Hansen et al., 1999;
Alavi and Leidner, 2001). Further, such losses can harm employee morale, customer
confidence or have a direct impact on competitive performance. Some commentators have
suggested that the protection of knowledge has not received adequate attention in the
organisational security arena, despite its criticality (Bloodgood and Salisbury, 2001;
Downloaded by UNIVERSITY OF OTAGO At 12:55 04 December 2016 (PT)
Maynard and Ruighaver, 2003; Gold et al., 2001; Holsapple and Jones, 2005).
This paper will argue the need to move beyond the current asset focus within security
through an exploration of knowledge security (Shedden et al., 2009). The next section
of this paper reviews current ISRAs and explains their focus on information assets.
Following this, there is an exploration of the crucial but overlooked role of knowledge
which, as noted by Davenport and Prusak (1998), is “baked into” organisational
processes. The connection between risk and knowledge through an illustrative case
study is established, whereby we apply a typical ISRA methodology – OCTAVE-S – to
a core organisational process. Finally, we discuss the deficiencies of security risk
assessment in OCTAVE-S in terms of process knowledge and consider how a knowledge
perspective could be incorporated in security risk assessments in general.
On the one hand, knowledge sharing is viewed as a valuable activity that gives
individuals access to knowledge that will assists in completing tasks (Alavi and Leidner,
1999; Fischer and Ostwald, 2001). On the other hand, from an information security
standpoint, such sharing activities bring new risks of knowledge falling into the “wrong
minds” and providing a means to inflict harm on the organisation or on its customers
and partners (Whitman and Mattord, 2005).
Some commentators have explored the possibility that current knowledge management
philosophies are inherently insecure. The need for a supportive “knowledge control”
process has been outlined – ensuring that required knowledge processors and resources
are available in sufficient quality and quantity, subject to security requirements (Holsapple
and Jones, 2005). However, there are few suggestions in the literature as to how this could
be accomplished. One of the few proposals, for example, is “data sanitisation” of codified
knowledge (Oliveira and Zaiane, 2003). Holsapple and Jones (2005) also argue that using
security risk management standards may be an option and that access controls and
monitoring facilities should also be provided. This would aim to limit availability of the
knowledge and increase confidentiality from a security perspective. Bloodgood and
Salisbury (2001) further discuss the merits of limiting access to knowledge and ensuring
that there is no single point of failure (e.g. no single employee knows all).
Gold et al. (2001) have broadly suggested several means to protect knowledge, including
asset-based ISRAs. However, asset-based risk assessment methods typically deal only with
explicit knowledge (i.e. that which can be codified or articulated in documents, databases,
etc.). Yet, as argued above, not all knowledge can be rendered explicit, nor can explicit
records of knowledge often be understood and applied without related tacit knowledge.
Indeed, it has been argued that the two forms of knowledge are “mutually constituted”
(Tsoukas, 2004) and explicit encodings must be actively re-contextualised on application.
In summary, it appears that is not sufficient to augment current ISRA methodologies
merely by including the identification of “knowledge assets” in the form of databases,
or even key people (Shedden et al., 2009). Indeed, a complex organisational process tends
to rely on both explicit and tacit knowledge of various individuals and networks of
experts. Therefore, understanding the full spectrum of risks associated with a particular
process extends considerably beyond individuals and information assets alone. This
line of thought suggests that if we wish to consider knowledge as a possible source
of risk, the asset-based risk identification approach is likely to be insufficient
(Shedden et al., 2009).
VINE Issues in asset identification: an illustrative case study
41,2 In this section, we present a brief case study that illustrates the limitations of current
ISRA methodologies that result from neglecting the knowledge aspects of processes
and their relationship with possible risks.
Research methodology
156 Our approach was first to apply a traditional ISRA methodology to identify critical
information assets in a knowledge-intensive work process involving IT. Importantly,
we then went beyond the traditional method – through the use of narrative and a
qualitative analysis based on holistic interviews – to probe the role of critical process
knowledge that was not explicitly addressed by the methodology. The use of an
exploratory case study is appropriate in this under-researched area (Eisenhardt, 1989;
Downloaded by UNIVERSITY OF OTAGO At 12:55 04 December 2016 (PT)
Benbasat et al., 1987; Yin, 2003) and its small size is sufficient to illustrate the knowledge
gap in current ISRA methodologies without attempting to fully chart that gap.
A company, SoftCo (a pseudonym), was selected for study on the basis that it:
. had a need for ISRA because security was of significant concern to its managers;
and
.
presented a sufficiently complex yet understandable process for analysis.
to an off-site backup server. The security head creates workable versions of these scripts
initially; but, significantly, they must be continually “tweaked” thereafter, meaning
polished and refined for efficiency and effectiveness. The backed-up data (including
historical backups going back to the founding of SoftCo) is of high ongoing value given
that problems occur that require data restoration weekly.
Asset
category Asset identified Description
Data Production data The data that passes through the live production environment,
including scripts, spreadsheets and directory structures. This is
the data to be backed up
Backup files – The backed-up translation maps (text-based scripts that
translation maps “translate” the contents of invoices and order forms into a format
readable by the customer organisation’s partner company)
Stored off-site at a remotely-managed data center
Backup files – live The backup files of the data that flows through the production
data environment. Includes order forms, invoices, SQL database back
ups, scripts and e-mails. Stored off-site at a remotely-managed
data center
People Security head and The information security managers of the organisation. If they
co-security manager are not on-hand, the back up process will fail
Applications Backup scripts The backup scripts are proprietary software that points the data Table I.
from the live production environment to the backup storage Critical asset
locations identification results
VINE about the backup process. Though questions were asked by the method on what
41,2 knowledge a person might have (“what special skills or knowledge are provided by this
person?”), it serves as a justification for the person to be considered a critical asset. The
knowledge itself is not the target of an asset identification process nor does it surface any
information about what those people know. For SoftCo, the security managers were
identified as being information assets whose availability needed to be preserved.
158 However, after analysis of the workshop transcriptions and follow-up interviews,
a deeper understanding of the backup process and its key assets emerged related
specifically to the key knowledge required in order to keep the process operational.
It became apparent that while OCTAVE-S did identify the higher level information
assets critical to the ongoing operations of the backup process, it did not identify process
knowledge. Key individuals were identified and described by the methodology, but not
Downloaded by UNIVERSITY OF OTAGO At 12:55 04 December 2016 (PT)
the richness and variety of their knowledge, including that which is tacit and explicit,
and also the security managers’ network of knowledge. If this knowledge was lost or not
on hand for application, the process would fail with the potential for a “catastrophic”
(as reported by the participants) failure of the backup process.
Key individuals
OCTAVE-S identified key personnel as part of its information asset identification process.
As has been described, the security managers (who we refer to as their job titles: security
head and co-security manager) are responsible for the monitoring and maintenance of
the backup process to ensure its continued operation. Despite extensive automation of
the process through the backup scripts, the security managers’ interventions were
still required. The security head outlined that their maintenance of the process was
important.
Specifically, the application of OCTAVE-S enabled the risk-evaluation team to
identify that the security managers were essential for the process. Otherwise, the backup
process itself would fail. Again, reported by the security head:
If we weren’t here, the backups would continue to function and everything would continue to
work – if nothing stopped – it would run for about three weeks, and then stop because the
server we back up to fails. It will get full. So there’s some things where we actually manually
go in and delete because you’re not prepared to trust another process to automatically delete
them.
OCTAVE-S identified that in order for the backup process to remain in operation,
the availability of the security managers would need to be preserved. The security
managers would need to be in contact with and remain in control of the process through
monitoring its functions, which they currently do through the use of e-mail and mobile
phone alerts. Additionally, they have enacted an informal mechanism of staggering
leave and absences.
the backup scripts over the course of many years. When discussing the nature of the
backup process itself, the security head outlined that while it would be possible to
document some elements of the process, it would not be possible to capture everything
due to its “messy” complexity:
Either one of us is critical. But if both of us weren’t here, it would be difficult for someone else
to come in and work out what we’re doing, because it’s so scripted and script-based and this
process interacts with that process, so it’s almost like spaghetti, to a degree. I mean it’s very
robust spaghetti, but if you had to flow-chart it all out, it would be a very messy flowchart.
This is further reinforced by the co-security manager’s comments on their attempts at
documentation and capturing their knowledge in codified form. When discussing how
much could actually be clearly articulated into procedures, the co-security manager
explained that documentation could cover the general perspective, as he explained:
You still need to apply a level of understanding of the environment to understand how it
works before; documentation will only tell you, like [. . .] There’s only so much you can do,
maybe 70 per cent of it but then you need the experience outside of it to understand how it
works.
The additional 30 per cent comes from their own experience and would be difficult
to articulate. Though this is a routine process, the participants surprisingly reported
that the ad hoc nature of this process’ development and the organic organisational
environment it resided in left a number of tacit subtleties that would be difficult to
articulate clearly or describe.
Therefore, there exists a great deal of tacit knowledge within the backup process that
relates to an understanding of its complexities and how it actually operates. OCTAVE-S
does not capture this tacit component. Consequently, methods to increase availability of
this knowledge (to prevent process failure) are not suggested by the methodology either.
of the backup process are, as stated by security head, “a product of both our thinking”.
However, their individual knowledge is also of critical importance, including that
knowledge which is tacit and difficult to qualify and explain (“it would be a very messy
flowchart”) and that knowledge which is explicit and can be codified (“it has to be
documented for people to know what’s going on”).
Discussion
Using the SoftCo case as illustration, we now return to the central issue of the
limits of traditional ISRAs like OCTAVE-S and consider the possible contribution of a
knowledge management perspective. According to the analysis of the backup process
produced by OCTAVE-S (Table I), the risks facing SoftCo can be neatly partitioned into
the threats and vulnerabilities associated with five separable assets: data (production,
translation maps, and live); people (security head and co-security manager); applications
(backup scripts). If any one of these assets is lost or damaged, the organisation will suffer
and the total risk becomes the summation of the risks across the five categories. In this
view, the role of knowledge is recognised only indirectly through the identification of
“key individuals” as assets that might suffer loss.
In contrast, a knowledge management perspective offers a very different view. First,
a risk analysis might identify the various types of knowledge on which the process
depends. Second, and following on, it is important then to distinguish between
explicit and tacit knowledge because they present different kinds of risk, one being
documentable while the other is not. Third, it is also productive to recognise the way that
these tacit and explicit forms of knowledge are “mutually constituted”, one depending
on the other for its meaning and value. Fourth, attention must be given to the way
knowledge is embedded in practices; so it might not be observable or transferable away
from the relevant task. And fifth, attention must also be paid to the distributed nature
of knowledge, or the way it is typically co-produced and co-utilised by a collective.
Following these insights, a knowledge management perspective exposes the way that
the different asset categories produced by OCTAVE-S are not separable but instead are
deeply intertwined in the way they contribute to ongoing work and present risks.
An overall observation in our case study, and consistent with the knowledge
management perspective, was that knowledge only emerged as a key area of
vulnerability when focusing on an organisational process (Shedden et al., 2009). Without
a process viewpoint, asset-focused ISRAs naturally downplay the subtlety and value
of each individual’s knowledge. Neglect of the role of knowledge seems to be right
at the heart of the way ISRAs construct the world and then observe it. Although Security risk
Australian security risk management guidelines and handbooks do suggest that assessments
knowledge should be identified as an extension of a “staff” or “people” asset category,
this view is not uniform across ISRA methods or organisational implementations of
these methods (AS/NZS, 2004; Shedden, 2005; DSD, 2007). In particular, tacit knowledge,
which is impossible to articulate or codify but which inherently forms part of successful
execution is only likely to emerge from a process perspective in the analysis. 161
Moving beyond the identification of key people and traditional information security
risk mitigation (the asset-based approach), an augmented methodology should identify
critical knowledge that is pertinent to typically core or at least critical organisational
processes (Shedden et al., 2009). In this regard, tacit and explicit individual knowledge
and distributed knowledge that is pertinent to the process should be identified. In the
Downloaded by UNIVERSITY OF OTAGO At 12:55 04 December 2016 (PT)
case study, the two managers could be considered as a small community of practice.
As with asset-based approaches, risk mitigation strategies for critical knowledge should
form part of a knowledge-sensitive risk assessment. This would include strategies such
as socialisation and internalisation (Nonaka, 1994), which is the basis by which a degree
of tacit knowledge could be shared. For example, having an apprentice “shadowing” the
key managers could be one strategy to spread the intimate knowledge they possess of
the backup process to more people. Explicit knowledge relating to the process should
also be considered. In this regard, strategies such as documentation and systemisation
could be appropriate mitigation mechanisms to codify and combine explicit knowledge
about the process. This would make it easier for a newcomer to gain insight about the
backup process. Indeed, documentation of the backup process, at least those aspects
which could be articulated explicitly, should be available from a quality assurance and
general risk management perspective.
It should, however, be recognised that tacit and explicit knowledge are not easily
separated (Polanyi, 1967; Tsoukas, 1996). To codify the knowledge of the backup
process into procedures or documents would lead to a “very messy flowchart”. Given the
managers tacit knowledge, an outsider to this process would still find it difficult to know
when and why to follow said procedures and when interventions in the automated
process would be necessary. This underpins the need for a holistic knowledge
perspective as part of an overall ISRA.
A combined information security and knowledge perspective would identify that
knowledge of SoftCo’s backup process (and the organisation’s systems and security) is
concentrated into only two minds (i.e. too few people know too much). Few asset-based
ISRA methodologies would identify this as a key vulnerability. If either of these
employees grew disgruntled with their organisation, retired or resigned, this would
amount to a major threat for SoftCo’s systems and processes generally, including the
backup process. A combined perspective on this problem would facilitate action to
control this risk. This may include tradeoffs between increasing the availability of
knowledge (through knowledge sharing and externalisation, on a “need-to-know” basis)
cognisant of the risk of confidentiality breaches.
A practical example to establish the need for this model can be seen in the shift
in the nature of the Australian electrical industry. Electrical power networks underpin
modern society’s integrated and interdependent infrastructure and have therefore been
identified as critical infrastructure by most western nations. Much has been said regarding
the vulnerability of power networks to cyber terrorism as they are typically controlled
VINE by supervisory control and data acquisition (SCADA) computing systems. Although it is
41,2 quite possible that a computer virus may attack SCADA networks and subsequently
cause a power outage, manual “backup” control of power machines can always restore
services. In the past, the SEC employed a small team of electrical inspectors across
Australia that maintained power networks. These inspectors, by virtue of their intimate
and long-standing association with the power systems and their knowledge of the
162 vulnerabilities in the design of the system and its various safeguards, acted as a
countermeasure to security threats (accidental and malicious) and the consistent operation
of the system. Their small number and the tacit nature of the knowledge also made the
spread of this knowledge less likely. Although the electrical inspectors were unlikely to
have military style “clearances”, their small number and mutual associations kept critical
knowledge in-house. However, upon the privatisation of the electrical industry in
Downloaded by UNIVERSITY OF OTAGO At 12:55 04 December 2016 (PT)
Australia, the power infrastructure was divided and sold. Electrical inspectors came under
the employ of different companies. This prevented electrical inspectors from sharing
knowledge of potential security threats and countermeasures of the system as a whole.
Electrical inspectors with holistic knowledge of the old system are being replaced by
newcomers with little or none of the invaluable “bigger picture”.
As a practical example, the adoption of a knowledge-based approach as seen in
Figure 1 would have beneficial properties when running security risk assessments of
critical infrastructure. Such assessments are run frequently given the highly important
nature and national security impacts of utilities and services bound by the
“critical infrastructure” term. However, given the intense level of in-house knowledge
and difficulties in current methods providing information and knowledge sharing
infrastructures (NARUC, 2007), an ISRA operated under Figure 1 would highlight and
preserve the intricate tacit knowledge to assist in the education of newcomers under the
new system.
In summary, we suggest that a knowledge perspective could, and should, be
incorporated into ISRAs. We believe the identification of core knowledge can occur
through a business process-based focus. As illustrated by our second analysis of the case
study, this can occur through conducting qualitative interviews with relevant staff
members in the context of key business processes. Tools such as business processes
mapping and rich process descriptions could further help to facilitate the identification
Conclusion
ISRAs are important for organisations as they are the means by which critical 163
information assets are identified, their threats and vulnerabilities assessed and a level
of risk assigned and prioritised for future action. ISRA methodologies, however,
mostly adopt an asset-based focus. By means of an illustrative case study, we have
demonstrated the inherent limitations of a typical risk assessment methodology by
exploring what it misses: critical knowledge of staff in the context of a complex but
Downloaded by UNIVERSITY OF OTAGO At 12:55 04 December 2016 (PT)
References
Alavi, M. and Leidner, D.E. (1999), “Knowledge management systems: issues, challenges and
benefits”, Communications of the Association for Information Systems, Vol. 1 No. 7.
Alavi, M. and Leidner, D.E. (2001), “Knowledge management and knowledge management
systems: conceptual foundations and research issues”, MIS Quarterly, Vol. 25 No. 1,
pp. 107-36.
Alberts, C. and Dorofee, A. (2004), Managing Information Security Risks, Mellon Software
Engineering Institute, Pittsburgh, PA.
Alberts, C., Dorofee, A., Stevens, J. and Woody, C. (2003), Introduction to the OCTAVE Approach,
Carnegie Mellon Software Engineering Institute, Pittsburgh, PA.
AS/NZS (2004), Information Security Risk Management Guidelines, Standards
Australia/Standards New Zealand, Sydney/Wellington.
Baskerville, R.L. (1991a), “Risk analysis: an interpretive feasibility tool in justifying information
systems security”, European Journal of Information Systems, Vol. 1 No. 2, pp. 121-30.
Benbasat, I., Goldstein, D.K. and Mead, M. (1987), “The case research strategy in studies of
information systems”, MIS Quarterly, Vol. 11 No. 3, pp. 369-86.
VINE Blakely, B., McDermott, E. and Greer, D. (2002), “Information security is information risk
management”, NSFW ’01, Cloudcroft, NM.
41,2
Bloodgood, J.M. and Salisbury, W.D. (2001), “Understanding the influence of organizational
change management strategies on information technology and knowledge management
strategies”, Decision Support Systems, Vol. 31 No. 1, pp. 55-69.
Brown, J.S. and Duguid, P. (1991), “Organizational learning and communities of practice: toward
164 a unified view of working, learning and innovation”, Organization Science, Vol. 2 No. 1,
pp. 40-57.
Davenport, T.H. and Prusak, L. (1998), Working Knowledge: How Organizations Manage
What They Know, Harvard Business School Press, Boston, MA.
den Braber, F., Hogganvik, I., Lund, S., Stolen, K. and Vrallsen, F. (2007), “Model-based security
analysis in seven steps – a guided tour to the CORAS method”, BT Technology Journal,
Downloaded by UNIVERSITY OF OTAGO At 12:55 04 December 2016 (PT)
Shedden, P., Ruighaver, A.B. and Ahmad, A. (2006), “Risk management standards – the
perception of ease of use”, paper presented at the 5th Security Conference, Las Vegas, NV.
Shedden, P., Scheepers, R., Smith, W. and Ahmad, A. (2009), “Towards a knowledge perspective
in information security risk assessments – an illustrative case study”, Proceedings of
20th Australasian Conference on Information Systems ( ACIS 2009 ), Monash University,
Melbourne, 2-4 December.
Stair, R.M. and Reynolds, G.W. (1999), Principles of Information Systems, Course Technology,
Cambridge, MA.
Stoneburner, G., Goguen, A. and Feringa, A. (2002), Risk Management Guide for Information
Technology Systems, National Institute of Standards and Technology, Gaithersburg, MD.
Tsoukas, H. (1996), “The firm as a distributed knowledge system: a constructionist approach”,
Strategic Management Journal, Vol. 17, pp. 11-25.
Tsoukas, H. (2004), Complex Knowledge: Studies in Organizational Epistemology, Oxford
University Press, Oxford.
Visintine, V. (2003), An Introduction to Information Risk Assessment, SANS Institute, Denver, CO.
West, S., Crane, L.S. and Andres, A.D. (2002), OCTAVE-DITSCAP Comparative Analysis,
US Army Medical Research and Material Command, Fort Detrick, Fredrick.
Whitman, M.E. and Mattord, H.J. (2005), Principles of Information Security, Thomson Course
Technology, Menlo Park, CA.
Yazar, Z. (2002), A Qualitative Risk Analysis and Management Tool – CRAMM, SANS Institute,
Denver, CO.
Yin, R. (2003), Case Study Research, 3rd ed., Sage, Thousand Oaks, CA.
Zack, M. (1999), “Developing a knowledge strategy”, California Management Review, Vol. 41
No. 3, pp. 108-45.
Further reading
Dubin, R. (1969), Theory Building, The Free Press, New York, NY.
Grover, V. and Davenport, T.H. (2001), “General perspectives on knowledge management:
fostering a research agenda”, Journal of Management of Information Systems, Vol. 18
No. 1, pp. 5-21.
Halliday, S., Badenhorst, K. and von Solms, R. (1996), “A business approach to effective
information technology risk analysis and management”, Information Management &
Computer Security, Vol. 4 No. 1, pp. 19-31.
VINE Parker, M., Benson, R. and Traynor, H. (1988), Information Economics: Linking Business
Performance to Information Technology, Prentice-Hall, Englewood Cliffs, NJ.
41,2 Siponen, M.T. (2005), “An analysis of the traditional IS security approaches: implications for
research and practice”, European Journal of Information Systems, Vol. 14, pp. 303-15.
Spears, J. (2006), A Holistic Risk Analysis Method for Identifying Information Security Risks,
in Security Management, Integrity, and Internal Control in Information Systems, Springer,
166 Boston, MA, pp. 185-202.
Thompson, M.P.A. and Walsham, G. (2004), “Placing knowledge management in context”,
Journal of Management Studies, Vol. 41 No. 5, pp. 725-47.
Whetten, D.A. (1989), “What constitutes a theoretical contribution?”, The Academy of
Management Review, Vol. 14 No. 4, pp. 490-5.
Downloaded by UNIVERSITY OF OTAGO At 12:55 04 December 2016 (PT)
6. Ali Mohammad Padyab, Tero Paivarinta, Dan HarneskGenre-Based Assessment of Information and
Knowledge Security Risks 3442-3451. [CrossRef]
7. Areej AlHogail, Jawad BerriEnhancing IT security in organizations through knowledge management 1-6.
[CrossRef]
8. Ali Mohammad Padyab, Tero Päivärinta, Dan HarneskGenre-Based Approach to Assessing Information
and Knowledge Security Risks 1237-1253. [CrossRef]